
Australia’s biggest bank lost records for 20 million accounts

The Commonwealth Bank lost records for 12 million customers -- almost half the Australian population -- after two magnetic tapes were misplaced.

Claire Reilly Former Principal Video Producer

Australia's biggest bank has admitted to losing the financial records of almost 20 million customer accounts after a subcontractor lost two magnetic tape drives containing the data in 2016.

The Commonwealth Bank (CBA) confirmed the news on Thursday after Buzzfeed News exposed the breach, reporting that 12 million Australians -- or half the Australian population -- were affected.

In a statement, CBA said the data included customer names, addresses, account numbers and 16 years of transaction information used to print customer account statements (dating from 2000 to early 2016). CBA said it informed Australia's Privacy Commissioner when it became aware of the breach in May 2016, but "a decision was made not to alert customers."

The magnetic tapes were lost by subcontractor Fuji Xerox during the process of decommissioning one of CBA's data centres. When CBA could not confirm the tapes had been destroyed, the bank hired accounting firm KPMG to conduct a forensic investigation. According to CBA, KPMG found the "most likely scenario was the tapes had been disposed of."

However, Buzzfeed News reports that one of the possible scenarios investigated by KPMG was that the tapes fell off the back of a truck when they were being transported to be destroyed.

The bank says the data did not include passwords, PINs or other information that could "enable account fraud" and it was monitoring the 19.8 million customer accounts involved for suspicious activity.

The incident represents one of the largest data and privacy breaches in Australian history and comes at a bad time for the bank.

Over the past two months, CBA has appeared before a major government-backed inquiry into misconduct in the banking industry, facing allegations of money laundering and charging fees to dead clients. Australia's top financial regulator APRA released an excoriating report on CBA this week slamming a "widespread sense of complacency" at the bank, with Australia's Treasurer Scott Morrison saying he expected top executives at CBA would step down.

In relation to this fresh privacy scandal, CBA said on Thursday "no evidence was found of any customer information being compromised, and over the past two years there has been no evidence of customer harm or suspicious account activity."

But as breach after breach has shown us in recent months and years, customers are no longer just concerned about having traditionally sensitive details like passwords compromised.

In an era when identity theft is a growing threat and personal information is sold on the dark web as a valuable commodity, a data breach of this size is deeply concerning for customers. Criminals can build a detailed profile of a person with information like a name and address (not to mention 16 years of financial records), and a PIN isn't needed to do serious damage.

While CBA continues to monitor accounts and reassures customers that the tapes were "most likely disposed of," the concerning fact remains -- we may never know.
